Risk management, strategy and analysis from Deloitte. Content from our sponsor. Please note: The Wall Street Journal News Department was not involved in the creation of the content below.

As Cyberattacks Evolve, So Should the Corporate Response

The increased number of reported cyberattacks on businesses and the evolving nature of the breaches have led many companies to reevaluate their cybersecurity strategies, particularly with regard to preventive protocols and timely responses. Mary Galligan, a director with the Cyber Risk Services practice of Deloitte & Touche LLP, who previously served as special agent in charge of cyber and special operations in the Federal Bureau of Investigation’s New York office, discusses what C-suite executives and boards should be thinking about to strengthen their preventive cybersecurity measures. She also provides insights on how they can help mitigate operational, regulatory, business and reputational risks and develop response protocols in the event of a cyberattack.

Q. When a cyberattack strikes an organization, how should it respond?

Mary Galligan: It’s all about preparing for an event, being resilient. There needs to be a cyber-incident response plan in place that has detailed processes for coordinating efforts between different front-line functions, such as the general counsel’s office, public relations and the chief information officer’s office. Such a plan should be designed at the board level, or at least by the designated executive in charge of risk management, just like they do with other physical security or business continuity issues, such as if a hurricane strikes an important operating unit. Some executives don’t think to start by alerting the general counsel’s office, but it is the first thing I suggest they do because there can be numerous legal issues that arise from a cyberbreach. The issues can range from data breach victim notifications required by more than 47 states, to following SEC guidelines for publicly traded companies and dealing with law enforcement investigations of the breach.

It’s also critical that such a plan has a far-reaching scope, and that it covers follow-on scenarios that could result from an attack. For example, when developing the plan, management should be thinking about how much risk the company can accept if systems or services have to shut down, and what technology must remain operational so the business is able to run once it recovers. It’s also important to consider how long the company can sustain operations using limited technology resources, and how quickly it can become fully operational after an attack. An effective plan puts an emphasis on preventive controls, speed of detecting a problem and rapid response.

Q. How should boards work with management to establish or update a cyber-incident response plan?

Mary Galligan: Often a plan is requested by the board, more specifically, the audit or risk committee. The board members should be focused on asking management two overarching questions: ‘How is the organization securing its systems?’ and ‘Has the organization conducted a risk assessment of its crown jewels, the assets they have to protect most, realizing that not everything can be protected?’ The board can follow up with questions focused on whether systems are secure, employees remain vigilant and the business stays resilient.

For example, boards may want to question how the organization is securing its information and determining what information is leaving the company. Management often spends time identifying what information is coming into the company but perhaps not as much time on what’s leaving it. Insider threats account for about 15% of cybersecurity incidents, and spearphishing [manipulating a user to inadvertently download malware] is still the number-one way that breaches occur. So if a large packet of data is leaving the system, questions should be asked. From a vigilance perspective, boards should consider asking if management is establishing risk and threat awareness across the enterprise and how the company detects violations and anomalies. Questions about resilience can focus on whether the organization has the ability to handle a critical cyber-incident and quickly return to normal operation.
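The "large packet of data leaving the system" point above is the kind of question a board can ask, but it only gets answered if someone has built a baseline to compare against. The following is an added illustration, not code from the interview or from Deloitte: it takes constructed daily outbound byte totals per internal host, computes each host's median egress over prior days, and flags hosts whose current-day egress is both above an absolute floor and a multiple of their own baseline. The hostnames, byte counts, the 5x ratio and the 1 GB floor are all invented for the example.

```python
from collections import defaultdict
from statistics import median

# Constructed sample telemetry: one record per (day, host) giving total
# outbound bytes for that day. These hosts and numbers are made up.
SAMPLE_EGRESS = [
    # day,          host,               bytes_out
    ("2013-10-01", "ws-finance-07",     410_000_000),
    ("2013-10-02", "ws-finance-07",     390_000_000),
    ("2013-10-03", "ws-finance-07",     450_000_000),
    ("2013-10-04", "ws-finance-07",     380_000_000),
    ("2013-10-05", "ws-finance-07",   6_000_000_000),  # sudden 15x jump
    ("2013-10-01", "srv-backup-01",  50_000_000_000),
    ("2013-10-02", "srv-backup-01",  52_000_000_000),
    ("2013-10-03", "srv-backup-01",  49_000_000_000),
    ("2013-10-04", "srv-backup-01",  51_000_000_000),
    ("2013-10-05", "srv-backup-01",  55_000_000_000),  # large, but normal for it
    ("2013-10-01", "ws-hr-03",          200_000_000),
    ("2013-10-02", "ws-hr-03",          210_000_000),
    ("2013-10-03", "ws-hr-03",          190_000_000),
    ("2013-10-04", "ws-hr-03",          220_000_000),
    ("2013-10-05", "ws-hr-03",          400_000_000),  # 2x, under the floor
    ("2013-10-05", "ws-contractor-12", 3_000_000_000),  # no history at all
]


def build_baseline(records, current_day):
    """Per-host median of daily egress for every day strictly before current_day.

    A median is used rather than a mean so that one earlier spike does not
    inflate the baseline and hide a later one.
    """
    history = defaultdict(list)
    for day, host, nbytes in records:
        if day < current_day:  # ISO dates compare correctly as strings
            history[host].append(nbytes)
    return {host: median(values) for host, values in history.items()}


def flag_egress_anomalies(records, current_day, ratio=5.0, floor_bytes=1_000_000_000):
    """Return (host, bytes_out, baseline, reason) for hosts worth a question.

    ratio and floor_bytes are assumed thresholds: a host is flagged when its
    egress on current_day is at least floor_bytes AND at least ratio times its
    own baseline. A host with no prior history is flagged separately, because
    it cannot be compared against anything.
    """
    baseline = build_baseline(records, current_day)
    alerts = []
    for day, host, nbytes in records:
        if day != current_day:
            continue
        base = baseline.get(host)
        if base is None:
            alerts.append((host, nbytes, None, "no baseline for this host"))
        elif nbytes >= floor_bytes and nbytes >= ratio * base:
            alerts.append((host, nbytes, base, f"{nbytes / base:.1f}x baseline"))
    return alerts


if __name__ == "__main__":
    for host, nbytes, base, reason in flag_egress_anomalies(SAMPLE_EGRESS, "2013-10-05"):
        print(f"{host}: {nbytes / 1e9:.1f} GB out ({reason})")
```

Two design points matter here. The backup server moves far more data than the flagged workstation but is not reported, because the comparison is against each host's own history rather than a single enterprise-wide number; and the absolute floor keeps a doubling of a tiny baseline from paging anyone. A host with no history is surfaced on purpose, since a device that appears and immediately pushes gigabytes out is exactly the case the interview's sign-out and tracking procedures are meant to make visible.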

Q. Cyber war-gaming is one tool used by the financial industry to help improve responses to cyberattacks. Were there lessons learned that can be applied to other industries?

Mary Galligan: Cyber war-gaming is a way to test the effectiveness of an existing incident response plan and identify gaps in areas such as communication and coordination. It’s a proactive approach to prepare for a cyberthreat. This past July the Wall Street community along with numerous federal government agencies participated in a full-day cyberattack simulation known as Quantum Dawn 2*. Similar to the results of many other war games, participants recognized a need for more effective communication and information-sharing among institutions, federal agencies, companies within the same industry and select third parties, such as law enforcement. The resulting report noted that the response protocol executed during the simulation allowed participants to reach consensus in a timely manner about their decision to shut down certain financial markets. On an individual company level, businesses had to decide when to allow their companies to come back online; in essence, whether they could determine that the “attack” was over.

Q. With the adoption of mobile devices, laptops and cloud computing throughout companies, how are cybersecurity strategies evolving to address new threats?

Mary Galligan: Cybersecurity has moved from the firewall to the keyboard. We used to not worry about attacks because someone in a back room was protecting us. Now every person with a mobile device, a laptop or sitting at a desktop is an organizational vulnerability. What has changed is that implementing cybersecurity strategies comes down to business decisions. For example, organizations have to make a business decision about whether allowing employees to plug thumb drives into company computers is worth the risk of infecting the network with malware or allowing an employee to download information without authorization. That doesn’t mean employees should be forbidden from using thumb drives, but rather that certain procedures have to be followed, such as allowing employees to use only company-issued thumb drives, requiring drives to be signed out and creating a process for tracking the devices. Information-sharing between companies and/or between the government and private sector may become more frequent as cyberattacks increase, although risk officers will have to become more comfortable with the idea. Risk officers who recognize that cybersecurity is not just a technology issue but also a governance and policy issue, as well as an important matter for boards and the C-suite, likely will share more general risk concerns with each other.

Q. With your background in law enforcement on a national level, what misperceptions might corporate leaders have about cybersecurity?

Mary Galligan: There are two areas that often surprise executives and boards when we talk about cyberthreats. The first is how the government obtains and shares information. At least 40% of all cybersecurity breaches are identified by a third party, such as a law enforcement agency, a financial institution or a telecom carrier. This finding gives company leadership pause because they tend to believe breaches usually are discovered in-house. In addition, leadership can become frustrated when law enforcement is involved because they feel the government may not be sharing information in its entirety. But in many cases, the government is only seeing one piece of the puzzle and handing it to the company. The company may need to work with the government to put together third-party information and their own information to investigate and mitigate a breach.

The second area that sometimes surprises corporate leaders is how swiftly a breach from a cyberattack can move from being a technology issue to a business issue. On short notice, organizations are likely to face requests by law enforcement for access to networks, and at times these requests could involve legal processes and inquiries from regulators and customers. While working on these efforts, organizations have the ongoing tasks of complying with varying state data breach laws and communicating with shareholders and the public, as well as operating the business.

Q. What concerns do companies typically have about sharing cybersecurity information with government entities?

Mary Galligan: Currently, there is no immunity for actions companies may or may not have taken with regard to cybersecurity breaches. There is no incentive to share information with the government because oftentimes the government is not in a position to share information back with the company, and numerous adversarial legal actions can be spurred by a data breach. What’s more, many companies may be in a position of having to defend themselves to the public in government investigations related to breaches. In this regard, it will be interesting to monitor the outcome of President Obama’s Executive Order on improving critical infrastructure cybersecurity, released February 12, 2013, to see if the voluntary standards proposed by the order stimulate more information-sharing. The standards do not contain immunity provisions. The recommendations were developed to encourage information-sharing between the government and private sectors in 15 U.S. infrastructure industries, including financial services, communications, and energy and oil. Only time will tell if the government can develop better methods of sharing information with companies and if companies will be more open to sharing information with the government.
